Summary: | <net-mail/mailutils-3.8: maidag utility allows to write to arbitrary files (CVE-2019-18862) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Mike Gualtieri <mike.gualtieri> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | eras |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.mike-gualtieri.com/files/GNU-Mailutils-VulnerabilityDisclosure-Nov19.txt | ||
Whiteboard: | B1 [glsa+ cve] | ||
Package list: | net-mail/mailutils-3.8 | ||
Runtime testing required: | --- |
Bug Depends on: | 704770 | ||
Bug Blocks: |
Description
Mike Gualtieri
2019-11-20 19:19:55 UTC
amd64 stable

arm stable

x86 stable

ppc64 stable

ia64 stable

ppc stable

fwiw, some arm64 USE=kerberos builds are failing, but not all.

USE='berkdb -bidi clients emacs -gdbm -guile -ipv6 kerberos -kyotocabinet ldap mysql nls pam postgres -python -sasl servers -ssl -static-libs tcpd threads' failed for =net-mail/mailutils-3.8
USE='-berkdb bidi clients -emacs -gdbm guile ipv6 kerberos -kyotocabinet ldap -mysql nls pam -postgres -python sasl servers -ssl -static-libs tcpd threads' failed for =net-mail/mailutils-3.8

Before it was failing to link with heimdal as virtual/krb5 provider, but now I converted back to mit-krb5 and it seems to still fail, but don't have fresh logs handy. Once I have cycles to spend further on this, this would be converted to a dependent bug report then. Maybe someone else wants to give those USE combinations a try meanwhile.

arm64 stable.

@maintainer(s), please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3af573c26166f7ea1a1e4aeec071866417a3d1a

commit e3af573c26166f7ea1a1e4aeec071866417a3d1a
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-05-13 06:50:22 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2020-05-13 06:51:07 +0000

net-mail/mailutils: cleanup

Bug: https://bugs.gentoo.org/700806
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Eray Aslan <eras@gentoo.org>

net-mail/mailutils/Manifest | 2 -
net-mail/mailutils/files/hdr.at | 36 ------
.../files/mailutils-3.4-MH-testsuite.patch | 70 -----------
.../files/mailutils-3.4-fix-endianness.patch | 122 ------------------
.../mailutils/files/mailutils-3.4-fno-common.patch | 11 --
net-mail/mailutils/files/nohdr.at | 26 ----
net-mail/mailutils/files/twomsg.at | 73 -----------
net-mail/mailutils/files/weed.at | 29 -----
net-mail/mailutils/mailutils-3.4-r3.ebuild | 140 ---------------------
net-mail/mailutils/mailutils-3.7.ebuild | 140 ---------------------
10 files changed, 649 deletions(-)

Thanks!

This issue was resolved and addressed in GLSA 202006-12 at https://security.gentoo.org/glsa/202006-12 by GLSA coordinator Aaron Bauman (b-man).